Latest Activity

Apache Santuario - XML Security for Java 2.0.0 - part II
1 day ago

By Colm O hEigeartaigh
In the previous blog post, I covered the new StAX-based (streaming) XML Signature functionality coming in Apache Santuario - XML Security for Java 2.0.0. In this post, I will focus on the new streaming XML Encryption functionality that will also be available in this release.

1) XML Encryption test-cases

I have uploaded some test-cases to github to show how to use the new StAX-based API. The tests and setup mirror the XML Signature testcases that I ...

Revisiting JMS performance. Improvements in CXF 3.0.0
3 weeks ago

By Christian Schneider


Some time ago I did some CXF performance measurements. See How fast is CXF ? - Measuring CXF performance on http, https and jms.

For CXF 3.0.0 I did some massive changes on the JMS transport. So I thought it is a good time to compare CXF 2.x and 3 in JMS performance. My goal was to reach at least the original performance. As my ...



How fast is CXF ? - Measuring CXF performance on http, https and jms
4 weeks ago

By Christian Schneider


From time to time people ask how fast is CXF? Of course this is a difficult question as the measured speed depends very much on the hardware of the test setup and on the whole definition of the test.
So I am trying to explain how you can do your own tests and what to do to make sure you get clean results.

What should you keep in ...



Hadoop CDC and processes notification with Apache Falcon, Apache ActiveMQ, and Apache Camel
1 month ago

By Jean-Baptiste Onofré
Some weeks (months ? ;)) ago, I started to work on Apache Falcon. First of all, I would like to thank all Falcon guys: they are really awesome and do a great job (special thanks to Srikanth, Venkatesh, Swetha). This blog post is a preparation to a set of “recipes documentation” that I will propose

Apache Santuario - XML Security for Java 2.0.0
1 month ago

By Colm O hEigeartaigh
In recent posts I have described some of the new features of the forthcoming Apache WSS4J 2.0.0 release. In particular, I focused on the changes and improvements to the existing "in-memory" (DOM-based) WS-Security implementation. However, the biggest new feature of WSS4J 2.0.0 will be a new streaming (StAX-based) WS-Security stack. In the next couple of posts, we will examine the core streaming XML Security functionality that will be available in the ...

Apache Karaf, Cellar, Camel, ActiveMQ monitoring with ELK (ElasticSearch, Logstash, and Kibana)
1 month ago

By Jean-Baptiste Onofré
Apache Karaf, Cellar, Camel, and ActiveMQ provide a lot of information via JMX. Moreover, another very useful source of information is in the log files. If these two sources are very interesting, for a “real life” monitoring, we need some additional features: The JMX information and log messages should be stored in order to

Apache CXF Authentication and Authorization test-cases
1 month ago

By Colm O hEigeartaigh
I've recently uploaded some test-cases to github that show different ways to authenticate and authorize a web services invocation using Apache CXF. Each project has the same two simple use-cases:
  • A JAX-WS request where the service requires a WS-Security UsernameToken over TLS.
  • A JAX-WS request where the service requires HTTP Basic Auth over TLS.
Each project has an "AuthenticationTest" that just illustrates some tests (including negative tests) for ...

Apache WSS4J 2.0.0 - part VI
2 months ago

By Colm O hEigeartaigh
This is the sixth of a series of articles on the new features and changes that will be delivered in Apache WSS4J 2.0.0. The fifth article looked at support for signing and encrypting message attachments via the SOAP with Attachments (SWA) Profile 1.1 specification, as well as the associated WS-SecurityPolicy expressions to sign and encrypt attachments. This post looks at the WS-SecurityPolicy model in WSS4J 2.0.0 and how it is used by the streaming ...

Feeling Hawkish about OAuth2 ?
2 months ago

By Sergey Beryozkin
You all know the recent OAuth history of course, Eran Hammer, the author of the popular OAuth1 specification, leaving the OAuth2 work group, with OAuth2 not getting much of a praise from Eran afterwards.

Eran has started several projects afterwards, Hawk and Oz in particular. The former is the evolution of the MAC draft Eran and others authored as part of the OAuth2 work, the latter is the alternative to OAuth2.

Now, I do like the OAuth2 ...

You're gonna be a star with CXF !
2 months ago

By Sergey Beryozkin
I've happened to listen to one of my favorite songs, All the Way to Reno from R.E.M, just recently, which probably shows me being not exactly very young :-).

Apparently the text has a lot of subtle meanings but one really can't beat its gentle rhythm leading to the listener having a kind of 'life is good' feeling, being optimistic.

"You're gonna be a star", you really can and you will...Feeling the excitement has gone out of the web services ...

Apache WSS4J 2.0.0 - part V
2 months ago

By Colm O hEigeartaigh
This is the fifth of a series of articles on the new features and changes that will be delivered in Apache WSS4J 2.0.0. The fourth article looked at the ability to encrypt passwords in Crypto properties files. This post looks at support for signing and encrypting message attachments via the SOAP with Attachments (SWA) Profile 1.1 specification, as well as the associated WS-SecurityPolicy expressions to sign and encrypt attachments. Note that there ...

Use OAuth2 tokens to protect CXF SOAP endpoints
2 months ago

By Sergey Beryozkin
So you are a happy Apache CXF developer working with its second-to-none WS SOAP front-end, creating SOAP endpoints protected by WS-Security. Your friends from the other team have deployed a few CXF JAX-RS endpoints protected by the OAuth2 filter validating the incoming OAuth2 tokens with the remote OAuth2 server.

Now, you really, really, really want to get your SOAP client code to use OAuth2 tokens too, the same tokens non-SOAP RS clients use to access RS ...

Apache WSS4J 2.0.0 - part IV
2 months ago

By Colm O hEigeartaigh
This is the fourth of a series of articles on the new features and changes that will be delivered in Apache WSS4J 2.0.0. The third article looked at some changes in the area of caching tokens to detect replay attacks. This post looks at a new feature of WSS4J 2.0.0, which is the ability to encrypt passwords in Crypto properties files.

1) Crypto properties

Apache WSS4J uses the Crypto interface to get keys and certificates for encryption/decryption and ...

Stateless OAuth2 providers in CXF 3.0.0
2 months ago

By Sergey Beryozkin
Writing a proper OAuth2 data provider typically involves persisting the data such as access token, refresh token and transient authorization code representations in the storage of some sort (relational database, etc).

It is also a well-known fact that major OAuth2 providers often have the access token state encrypted - the clients effectively keep the token state, the server does not need to worry about persisting and looking up the tokens. It is ...

Apache WSS4J 2.0.0 - part III
2 months ago

By Colm O hEigeartaigh
This is the third of a series of articles on the new features and changes that will be delivered in Apache WSS4J 2.0.0. The second article grouped together some new features that were too small to warrant a separate article on their own. This article will focus on some changes in the area of caching tokens to detect replay attacks.

1) Replay Attack detection in Apache WSS4J 1.6.x

Please see a previous article I wrote which covers what Replay Attacks ...

Features coming in Fediz 1.2 - REST
2 months ago

By Oliver Wulff
The work for Fediz 1.2 has started and introduces a bunch of new features for the IDP. This post shall introduce the new features to initiate the discussion (recommended in the CXF Dev Mailing list) now. These features become available in the new minor release. Therefore, the branch trunk has been changed to this version. The new features are:
  • Single Logout

    The IDP supports to logout from all web applications in one click according the ...



Apache WSS4J 2.0.0 - part II
3 months ago

By Colm O hEigeartaigh
This is the second of a series of articles on the new features and changes that will be delivered in Apache WSS4J 2.0.0. The first article gave an overview of the new features, detailed the new project structure, and covered a migration guide for existing users. This blog post groups together the new features that are too small to warrant an article on their own.

1) Kerberos Signature/Encryption support

Support was added in WSS4J 1.6.2 to obtain a ...

SAML "OneTimeUse" support in Apache CXF 2.7.8
3 months ago

By Colm O hEigeartaigh
Apache WSS4J 1.6.13 contains a number of features to support working with SAML 2.0 tokens with a "OneTimeUse" Condition. Firstly, it is now possible to create a SAML 2.0 token with this attribute via the ConditionsBean. Secondly, support has been added to cache any token Identifier which has a "OneTimeUse" Condition. The idea is that any SAML 2.0 token with a "OneTimeUse" Condition cannot be used again (or replayed). Hence, this is another form of ...

Apache WSS4J 2.0.0 - part I
3 months ago

By Colm O hEigeartaigh
Apache WSS4J is an open-source Java implementation of the security standards for web services. The project was founded in 2004 and is widely used, including by the web service stacks Apache CXF and Apache Axis. Apache WSS4J 1.6.0 was released in April 2011, and featured a wide range of improvements such as support for SAML 2.0 assertions. This blog post is the first in a series of articles on the new features and changes that will be arriving in the ...

How to hack into any default apache karaf installation
3 months ago

By Christian Schneider


Apache Karaf is an open source OSGi server developed by the Apache foundation. It provides very convenient management functionality on top of existing OSGi frameworks. Karaf is used in several open source and commercial solutions.

Like often, convenience and security do not go well together. In the case of Karaf there is one ...

